May, 2008

I've been working with the SWI team to write a comprehensive overview of the SQL Storm attacks with guidance for IT administrators, developers, and end users. That article is posted at sql-injection-attack.aspx . For developers, specifically, Bala...

My colleague Greg , who has forgotten more about command line scripting than I will ever know, put together a sample on CodePlex that automates finding SQL injection attacks from the ongoing mass SQL injection attack ("SQL Storm", as I saw it...

(Part 1 is here )
Previously, I provided a simple example of using parameterized queries in classic ASP; however, that sample lacked a few things such as explicit typing for the parameters. It also created a read-only ADODB.RecordSet which, obviously...

Michael Howard wrote an excellent article yesterday on how the SDL addresses SQL injection . He walks through three coding requirements/defenses:
Use SQL Parameterized Queries
Use Stored Procedures
Use SQL Execute-only Permissions
As Michael...